Cyber Security: The Human Risk

The Unattended Terminal

This article originally started out with the intention of highlighting some of the risk factors associated with today’s most common data breaches and ways to help mitigate them, but a recent trip through a Vegas casino (I won’t name names to avoid any embarrassment) led me down a different path. This past weekend I was walking with my girlfriend through the floor of one of Vegas’ more renowned casinos—one that does close to $100 million in revenue per year, not insignificant by any means, but definitely not a major player—and I noticed something that struck me as odd. A computer terminal, sitting unattended and logged in, right on the casino floor, open to anyone, nefarious and virtuous, that would happen upon it.

That seemed to me to be quite the security risk: any ill-intentioned individual, or script-kiddie for that matter, with some easily downloadable code could’ve walked up to that terminal, which was more than likely connected to the rest of the network, and installed anything from the latest key-logging software to spyware and malware. Now, I know what you’re going to say: “What about all the cameras and security? Surely no one would be able to walk up to a terminal without someone noticing.” While casinos do, in the public’s eye at least, have rigorous security protocols and cameras that supposedly monitor every angle of every nook and cranny throughout the entire property, this article isn’t about that; it’s about the human side of the data/cyber/IT-security equation. Regardless of the latest tech installed, or however many monitoring stations are in place, everything at some point ends up in front of a human being. Despite every security protocol this casino had in place, and however many times they require their employees to change their password, this terminal was left unattended, and more importantly, logged in, due to human error; due to an individual forgetting to click “Log Out”. It happens all the time, and admitting it and incorporating human error goes a long way towards architecting a proactive and well-thought-out IT security policy.
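The control that removes the dependency on an operator remembering to click “Log Out” is an idle-session lock: the system locks itself after a fixed period without input and refuses every action until the user re-authenticates. The following Python model is an added example, not code from the article or from any casino system; the Session class, the 300-second threshold, the “floor_clerk” account and the timeline are all assumptions constructed for the illustration.

```python
"""Idle-session lock: a compensating control for the "forgot to log out" error.

Added example (hypothetical terminal application). The policy value and the
timeline below are constructed for illustration, not taken from any real system.
"""
from dataclasses import dataclass, field

IDLE_LOCK_SECONDS = 300  # assumed policy: lock after 5 minutes without input


@dataclass
class Session:
    user: str
    last_activity: float          # seconds since epoch, supplied by the caller
    locked: bool = False
    audit: list = field(default_factory=list)  # lock/deny/unlock records for review

    def touch(self, now: float) -> None:
        """Record user input; a locked session stays locked until unlock()."""
        if not self.locked:
            self.last_activity = now

    def enforce_idle_lock(self, now: float) -> bool:
        """Called on a timer: locks the session once the idle budget is exhausted.

        Returns the lock state after enforcement.
        """
        if not self.locked and now - self.last_activity >= IDLE_LOCK_SECONDS:
            self.locked = True
            self.audit.append(("auto_lock", self.user, now))
        return self.locked

    def perform(self, action: str, now: float) -> str:
        """Gate every action on the lock state, not on whether the operator logged out."""
        self.enforce_idle_lock(now)
        if self.locked:
            self.audit.append(("denied", action, now))
            return "denied: session locked, re-authenticate"
        self.touch(now)
        return f"ok: {action}"

    def unlock(self, password_ok: bool, now: float) -> bool:
        """Re-authentication is the only way out of the locked state."""
        if password_ok:
            self.locked = False
            self.last_activity = now
            self.audit.append(("unlock", self.user, now))
        return not self.locked


def coffee_break_scenario() -> list:
    """Constructed timeline: the operator's last input is at t=60 s and they walk away."""
    s = Session(user="floor_clerk", last_activity=0.0)
    log = []
    log.append(s.perform("lookup_player_account", now=60.0))  # operator's last real action
    log.append(s.perform("view_cashier_report", now=200.0))   # 140 s idle: still inside the window
    log.append(s.perform("view_cashier_report", now=600.0))   # 400 s idle: control fires, denied
    s.unlock(password_ok=False, now=610.0)                      # a wrong password keeps it locked
    log.append(s.perform("view_cashier_report", now=615.0))   # still denied
    s.unlock(password_ok=True, now=620.0)                       # operator returns, re-authenticates
    log.append(s.perform("view_cashier_report", now=625.0))   # allowed again
    return log


if __name__ == "__main__":
    for line in coffee_break_scenario():
        print(line)
```

The second call at t=200 is the important one: the lock bounds the exposure window rather than eliminating it, which is why the threshold is a policy decision and the audit trail of “denied” entries is worth forwarding to whoever reviews the floor cameras.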

The user’s going to pick dancing pigs over security every time

— Bruce Schneier

Only Amateurs Attack Machines, Professionals Target People

Along with quite a few other memorable quotes, such as “The user’s going to pick dancing pigs over security every time” or “More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk”, Bruce Schneier, American cryptographer, computer security and privacy specialist, and writer, is famous for another one: “Only amateurs attack machines, professionals target people.” Most efforts to improve cyber security focus primarily on incorporating new technological approaches in products and processes. However, a key element of improvement involves acknowledging the importance of human behavior when designing, building and using cyber security technology. According to a 2014 IBM Security Report, over 95 percent of all incidents investigated cite “human error” as a contributing factor. The most commonly recorded forms of human error include system misconfiguration, poor patch management, use of default user names and passwords or easy-to-guess passwords, lost laptops or mobile devices, and disclosure of regulated information via use of an incorrect email address. The most prevalent contributing human error? “Double clicking” on an infected attachment or unsafe URL.

The Problem that isn't Going Away

2014 will be remembered for such highly publicized mega breaches as Sony Pictures Entertainment and JPMorgan Chase & Co., and more recent ones like Home Depot and AshleyMadison.com. Sony suffered a major online attack that resulted in employees’ personal data and corporate correspondence being leaked. The JPMorgan Chase & Co. data breach affected 76 million households and seven million small businesses. Home Depot’s breach resulted in the compromise of 56 million credit card records, and AshleyMadison.com, a US extramarital-affairs service, saw 37 million personally identifiable records held hostage until the site shut down. Despite all of our advances in technology, data breaches have been on the rise, as this interesting infographic shows. In 2014 alone, more than a billion records of personally identifiable information—including names, emails, credit card numbers and passwords—were stolen.

Particularly worrisome are phishing campaigns, which are comparatively easy to initiate and can rapidly spread across an organization, targeting top executives as well as employees and managers. Almost one-third (31%) of respondents to the 2015 US Cybercrime Survey said they had been hit by a phishing attack in 2014, making it one of the most frequent types of incidents. Distributed denial of service (DDoS) attacks are becoming increasingly potent and are one of the most frequent types of cybersecurity incidents, cited by 18% of survey respondents this year. DDoS assaults most often result in damage to reputation, but they also can put businesses at risk by disrupting e-commerce and other business processes.

[Chart: The Average per Record Cost of a Data Breach, FY 2015, measured in US dollars]

The Cost of a Data Breach

Damage from such data breaches can be severe, and isn’t always quantifiable on paper. If consumers lose faith in a company’s ability to keep their personal data safe, the company can ultimately lose customers. Most certainly they stand to lose money, and in some cases, intellectual property. In its most recent analysis, the Ponemon Institute found that in 2015 each lost data record cost companies an average of $154, up from $145 the previous year, with companies in the US losing the most per record for each data breach ($217), followed by Germany ($211), and companies in India the least at $56.

Based on that global average cost per record that means:

A major retailer with a million leaked credit cards could be looking at more than $154 million in direct costs, including fines.

A university that leaked 40,000 records could suffer over $5.4 million in losses.

[Chart: Average per Record Cost of a Data Breach by Industry, FY 2015, measured in US dollars]

Ponemon found that more heavily regulated industries such as healthcare, education, finance, and pharmaceuticals had the highest per record data breach costs, but one of their more interesting findings was the 57% increase from 2014 to 2015 in the per record cost for the retail sector. This can more than likely be attributed to media reporting of these events and consumers’ concerns about identity theft, which caused retail companies to spend more money to address the consequences of data breaches.

With More Data Comes More... Vulnerability—and More Insight

You thought I was going to say responsibility, didn’t you. Despite my desire to reference Spiderman, the vast quantities of data we create today can be a double-edged sword. As companies around the world continue to expand their businesses and IT infrastructure—adding more devices and increasing connectivity across their organizations—their volumes of data requiring 24x7 monitoring also continue to grow. That can increase an organization’s vulnerability by making it even more difficult to develop and deploy effective measures to fend off cyber attacks, but at the same time, such growth creates enormous quantities of data on security events. It also presents us with the challenge of understanding what all that data means and deciding what to do about it. In 2013, IBM’s global monitoring operations and analysts determined the average company experienced 91 million security events. While virtually no company in the world is capable of dealing with 91 million security events in a year, you’ll be happy to note that only a fraction of those 91 million events—109 to be exact—end up being classified as an actual incident. The real challenge is in determining which of those events deserve further attention. So, while the number of events continues to grow, so does our ability to analyze and manage them more efficiently.

Security event: An event on a system or network detected by a security device or application.

Security attack: A security event that has been identified by correlation and analytics tools as malicious activity that is attempting to collect, disrupt, deny, degrade or destroy information system resources or the information itself.

Security incident: An attack or security event that has been reviewed and deemed worthy of deeper investigation.

Security breach: An incident that has successfully defeated security measures and accomplished its designated task.
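To make the event-to-incident funnel concrete, here is an added Python example (not from the article or from IBM’s report) that applies the four definitions above to a small constructed batch of telemetry: correlation rules turn raw events into attacks, a triage rule stands in for analyst review and promotes some attacks to incidents, and an incident counts as a breach only when the attacker’s action succeeded. The correlation rules, the PRIVILEGED account set, the failed-login threshold and the sample events are all assumptions made for this example.

```python
"""Event -> attack -> incident -> breach funnel over constructed sample telemetry.

Added example; rules, thresholds, account names and events are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    source: str   # the security device or application that reported it
    kind: str
    src_ip: str
    user: str
    outcome: str  # "success" or "failure"


@dataclass
class Attack:
    rule: str
    events: list  # the events a correlation rule grouped together

    @property
    def succeeded(self) -> bool:
        # An attack that contains a successful action has defeated the control.
        return any(e.outcome == "success" for e in self.events)


PRIVILEGED = {"admin", "svc_cage"}   # assumed: accounts an analyst always escalates
FAILED_LOGIN_THRESHOLD = 5           # assumed brute-force threshold


def correlate(events):
    """Stage 1: correlation rules turn security events into attacks."""
    attacks = []
    logins_by_ip = defaultdict(list)
    for e in events:
        if e.source in ("ids", "av"):            # detection tools already assert malice
            attacks.append(Attack(rule=f"{e.source}:{e.kind}", events=[e]))
        elif e.kind == "login":
            logins_by_ip[e.src_ip].append(e)
    for ip, logins in logins_by_ip.items():
        failures = [e for e in logins if e.outcome == "failure"]
        if len(failures) >= FAILED_LOGIN_THRESHOLD:
            # Keep the later success from the same IP: it decides breach vs. attempt.
            attacks.append(Attack(rule="brute_force", events=logins))
    return attacks


def review(attacks):
    """Stage 2: analyst triage; an attack becomes an incident if it succeeded
    or touched a privileged account (assumed triage rule)."""
    return [a for a in attacks
            if a.succeeded or any(e.user in PRIVILEGED for e in a.events)]


def breaches(incidents):
    """Stage 3: incidents whose attacker actually accomplished the action."""
    return [i for i in incidents if i.succeeded]


def funnel(events):
    """Counts at each stage of the taxonomy for a batch of events."""
    attacks = correlate(events)
    incidents = review(attacks)
    return {"events": len(events), "attacks": len(attacks),
            "incidents": len(incidents), "breaches": len(breaches(incidents))}


def make_sample_events():
    """Constructed telemetry (not real data): 15 events."""
    ev = []
    ev += [Event("auth", "login", "198.51.100.7", "jdoe", "failure") for _ in range(6)]
    ev.append(Event("auth", "login", "198.51.100.7", "jdoe", "success"))     # guessed it
    ev += [Event("auth", "login", "10.0.0.4", "asmith", "failure") for _ in range(2)]
    ev.append(Event("auth", "login", "10.0.0.4", "asmith", "success"))       # typo, then fine
    ev.append(Event("ids", "port_scan", "203.0.113.5", "-", "failure"))
    ev.append(Event("av", "malware_detected", "10.0.0.9", "admin", "failure"))  # quarantined
    ev += [Event("proxy", "web_request", "10.0.0.12", "bleet", "success") for _ in range(3)]
    return ev


if __name__ == "__main__":
    print(funnel(make_sample_events()))
```

On this batch, 15 events reduce to 3 attacks, 2 incidents and 1 breach: the two mistyped passwords never become an attack, the blocked malware on the admin host is an incident without being a breach, and the brute-force run that ended in a successful login is the one that matters. The point of the funnel is exactly the one the article makes: the work is in the review stage, not in the raw count.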

A Lopsided Investment in Technology

109 events a year sounds like a much more manageable number, one that many more organizations are capable of dealing with. However, compare that to some of the responses from the 2015 US Cybercrime Survey and the landscape begins to paint a much more pessimistic picture. Almost half (47%) said that adding new technologies is a spending priority, higher than all other cyber-risk spending initiatives. Only 15% cited redesigning processes as a priority and 33% prioritized adding new skills and capabilities. So, despite the ever-evolving threat landscape, roughly 85% of companies believe they have all the internal processes they need in place while adding new technologies into their organizations, and 67% believe their personnel are capable and adept enough to deal with a security breach resulting from this new technology. Yet when asked whether organizations have the expertise to address cyber-risks associated with implementation of new technologies, only 26% said they have capable personnel on staff. Something doesn’t add up here, and it doesn’t take a math whiz to realize why security breaches are so prevalent.

[Chart: Cyber-Risk Spending Priorities, % of respondents who claim this a priority]

Why Technology Alone isn't Enough

Companies that implement new technologies without updating processes and providing employee training will very likely not realize the full value of their spending. To be truly effective, a cybersecurity program must carefully balance technology capabilities with redesigned processes and staff training. Employee training and awareness continues to be a critical—and often neglected—component of cybersecurity. Only half (50%) of survey respondents said they conduct periodic security awareness and training programs, and the same number offer security training for new employees.

Security policies these days are akin to relying on an adult to accompany a child across the road every time, as opposed to teaching the child how to cross the road safely. As Shari Pfleeger and Deanna Caputo pointed out in “Leveraging Behavioral Science to Mitigate Cyber Security Risk”, problems of appropriate response to cyber incidents are exacerbated when security technology is perceived as an obstacle to the user. The individual may be overwhelmed by difficulties in security implementation, or may mistrust, misinterpret or override the security. A recent study of users at Virginia Tech illustrates the problem. The researchers examined user attitudes and the “resistance behavior” of individuals faced with a mandatory password change. They found that, even when passwords were changed as required, the changes were intentionally delayed and the request was perceived as an unnecessary interruption. People are conscious that a password breach can have severe consequences, but that awareness does not affect their attitude toward the security policy implementation. I’m not arguing for getting rid of mandatory password requirements, but for a security policy that works with an organization, as opposed to against it. Giving employees the appropriate tools and education to understand the threat landscape and how to protect themselves can help achieve desired outcomes without security being perceived as onerous and burdensome.

Whether you’re the employee who left their terminal unattended for 5 minutes, as it was in my experience, while you walk away to get a cup of coffee, or you’re the CIO of that same organization who prioritizes new technologies as opposed to training staff and adding new skills and capabilities, the human factor is always present, and will always be the weak link in the chain.

Why Act Now?

It used to be that banks were the primary target of cyber criminals, but today, diverse actors move with lightning speed to steal money, intellectual property, customer information and state secrets across all sectors. Criminals, at least from what I know, are not known for relenting. Once you’re a target, they will spend as much time trying to break into your enterprise as you spend on your core business. If you don’t have visibility into attacks as they happen, the criminals will succeed. Recent attacks demonstrate that victims were compromised for months before they discovered it. Assuming you have already been breached is the best premise to operate under. Organizations must summon the vision, determination, skills and resources to build a risk-based cybersecurity program that can quickly detect, respond to and limit fast-moving threats. Those that do not risk becoming tomorrow’s front-page news.